feat: add tests for waf component

.github/workflows/rspec.yaml

@@ -0,0 +1,8 @@
+name: cftest
+
+on: [push, pull_request]
+
+jobs:
+  rspec:
+    uses: theonestack/shared-workflows/.github/workflows/rspec.yaml@main
+    secrets: inherit

.rspec

@@ -0,0 +1,2 @@
+--require spec_helper
+--format documentation

spec/cloudfront_spec.rb

@@ -0,0 +1,59 @@
+require 'yaml'
+
+describe 'cloudfront waf configuration' do
+
+  context 'cftest' do
+    it 'compiles test' do
+      expect(system("cfhighlander cftest #{@validate} --tests tests/cloudfront.test.yaml")).to be_truthy
+    end
+  end
+
+  let(:template) { YAML.load_file("#{File.dirname(__FILE__)}/../out/tests/cloudfront/waf.compiled.yaml") }
+
+  context 'Resource WebACL' do
+    let(:properties) { template["Resources"]["WebACL"]["Properties"] }
+
+    it 'has basic properties' do
+      expect(properties["Name"]).to eq({"Fn::Sub"=>"${EnvironmentName}-test-cloudfront-waf"})
+      expect(properties["Description"]).to eq("Test CloudFront WAF ACL")
+      expect(properties["Scope"]).to eq("CLOUDFRONT")
+      expect(properties["DefaultAction"]).to eq({"Allow"=>{}})
+    end
+
+    it 'has rules configured' do
+      rules = properties["Rules"]
+      expect(rules.length).to eq(2)
+
+      # Geo Block Rule
+      geo_rule = rules.find { |r| r["Name"] == "geo-block" }
+      expect(geo_rule["Priority"]).to eq(1)
+      expect(geo_rule["Action"]).to eq({"Block"=>{}})
+      expect(geo_rule["Statement"]["GeoMatchStatement"]["CountryCodes"]).to include("CN", "RU", "KP")
+
+      # XSS Protection Rule
+      xss_rule = rules.find { |r| r["Name"] == "xss-protection" }
+      expect(xss_rule["Priority"]).to eq(2)
+      expect(xss_rule["Action"]).to eq({"Block"=>{}})
+      expect(xss_rule["Statement"]["XssMatchStatement"]["FieldToMatch"]).to eq({"Body"=>{}})
+      expect(xss_rule["Statement"]["XssMatchStatement"]["TextTransformations"]).to include(
+        {"Priority"=>1, "Type"=>"NONE"}
+      )
+    end
+  end
+
+  context 'Outputs' do
+    let(:outputs) { template["Outputs"] }
+
+    it 'has web acl id' do
+      expect(outputs["WebACLId"]).to include(
+        "Value" => {"Ref"=>"WebACL"}
+      )
+    end
+
+    it 'has web acl arn' do
+      expect(outputs["WebACLArn"]).to include(
+        "Value" => {"Fn::GetAtt"=>["WebACL", "Arn"]}
+      )
+    end
+  end
+end

spec/default_spec.rb

@@ -0,0 +1,74 @@
+require 'yaml'
+
+describe 'default waf configuration' do
+
+  context 'cftest' do
+    it 'compiles test' do
+      expect(system("cfhighlander cftest #{@validate} --tests tests/default.test.yaml")).to be_truthy
+    end
+  end
+
+  let(:template) { YAML.load_file("#{File.dirname(__FILE__)}/../out/tests/default/waf.compiled.yaml") }
+
+  context 'Resources' do
+    let(:resources) { template["Resources"] }
+
+    context 'IPSet' do
+      let(:properties) { resources["wafrBlacklistIpSet"]["Properties"] }
+
+      it 'has basic properties' do
+        expect(properties["Name"]).to eq({"Fn::Join"=>["-", [{"Ref"=>"EnvironmentName"}, "wafrBlacklistIpSet"]]})
+        expect(properties["IPSetDescriptors"]).to include(
+          {"Type"=>"IPV4", "Value"=>"192.0.2.44/32"}
+        )
+      end
+    end
+
+    context 'Rule' do
+      let(:properties) { resources["wafrIPBlockRule"]["Properties"] }
+
+      it 'has basic properties' do
+        expect(properties["Name"]).to eq({"Fn::Join"=>["-", [{"Ref"=>"EnvironmentName"}, "wafrIPBlockRule"]]})
+        expect(properties["MetricName"]).to eq({"Fn::Join"=>["", [{"Ref"=>"EnvironmentName"}, "wafrIPBlockRule"]]})
+      end
+
+      it 'has predicates configured' do
+        expect(properties["Predicates"]).to include(
+          {
+            "DataId"=>{"Ref"=>"wafrBlacklistIpSet"},
+            "Negated"=>false,
+            "Type"=>"IPMatch"
+          }
+        )
+      end
+    end
+
+    context 'WebACL' do
+      let(:properties) { resources["wafrOwaspACL"]["Properties"] }
+
+      it 'has basic properties' do
+        expect(properties["Name"]).to eq({"Fn::Join"=>["-", [{"Ref"=>"EnvironmentName"}, "test-waf"]]})
+        expect(properties["MetricName"]).to eq({"Fn::Join"=>["", [{"Ref"=>"EnvironmentName"}, "TestWAF"]]})
+        expect(properties["DefaultAction"]).to eq({"Type"=>"ALLOW"})
+      end
+
+      it 'has rules configured' do
+        expect(properties["Rules"]).to include(
+          {
+            "Action"=>{"Type"=>"BLOCK"},
+            "Priority"=>1,
+            "RuleId"=>{"Ref"=>"wafrIPBlockRule"}
+          }
+        )
+      end
+    end
+  end
+
+  context 'Outputs' do
+    let(:outputs) { template["Outputs"] }
+
+    it 'has web acl id' do
+      expect(outputs["WAFWebACL"]).to eq({"Value"=>{"Ref"=>"wafrOwaspACL"}})
+    end
+  end
+end

spec/spec_helper.rb

@@ -0,0 +1,7 @@
+require 'yaml'
+
+RSpec.configure do |config|
+  config.before(:all) do
+    @validate = ENV['VALIDATE'] || ''
+  end
+end

tests/alb.test.yaml

@@ -0,0 +1,27 @@
+test_metadata:
+  type: config
+  name: alb
+  description: WAF configuration for ALB test
+
+scope: REGIONAL
+alb_arn: arn:aws:elasticloadbalancing:ap-southeast-2:012345678901:loadbalancer/app/my-alb/abcdef123456
+
+rules:
+  - name: rate-limit
+    metric_name: RateLimit
+    priority: 1
+    rate_limit: 1000
+    action: BLOCK
+
+  - name: xss-protection
+    metric_name: XSSProtection
+    priority: 2
+    action: BLOCK
+    rule_type: REGULAR
+    statement:
+      xss_match_statement:
+        field_to_match:
+          body: {}
+        text_transformation:
+          - priority: 1
+            type: NONE

tests/cloudfront.test.yaml

@@ -0,0 +1,36 @@
+test_metadata:
+  type: config
+  name: cloudfront
+  description: CloudFront WAF configuration test
+
+scope: CLOUDFRONT
+name: test-cloudfront-waf
+description: Test CloudFront WAF ACL
+
+rules:
+  - name: geo-block
+    metric_name: GeoBlock
+    priority: 1
+    action: BLOCK
+    rule_type: REGULAR
+    statement:
+      geo_match_statement:
+        country_codes:
+          - CN
+          - RU
+          - KP
+
+  - name: xss-protection
+    metric_name: XSSProtection
+    priority: 2
+    action: BLOCK
+    rule_type: REGULAR
+    statement:
+      xss_match_statement:
+        field_to_match:
+          body: {}
+        text_transformation:
+          - priority: 1
+            type: NONE
+
+default_action: ALLOW

tests/default.test.yaml

@@ -0,0 +1,25 @@
+test_metadata:
+  type: config
+  name: default
+  description: default waf configuration test
+
+control_ipset:
+  - name: wafrBlacklistIpSet
+    ipsetdescriptors:
+      - type: IPV4
+        value: 192.0.2.44/32
+
+wafrules:
+  - ruleid: wafrIPBlockRule
+    predicates:
+      - conditionName: wafrBlacklistIpSet
+        negated: false
+        type: IPMatch
+
+wafacl:
+  name: test-waf
+  metricName: TestWAF
+  rules:
+    - ruleid: wafrIPBlockRule
+      action: BLOCK
+      priority: 1